Commit graph

822 commits

Author SHA1 Message Date
Dmitry Yakovlev
572fa0249d Move SSL_DEBUG md fprintf after assignment
To avoid crash (same as #5138 fixed in 44f23cd)

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6937)
2018-08-14 08:01:14 -04:00
Matt Caswell
5df2206048 Improve fallback protection
A client that has fallen back could detect an inappropriate fallback if
the TLSv1.3 downgrade protection sentinels are present.

Fixes #6756

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)
2018-08-09 10:53:09 +01:00
Matt Caswell
de9e884b2f Tolerate encrypted or plaintext alerts
At certain points in the handshake we could receive either a plaintext or
an encrypted alert from the client. We should tolerate both where
appropriate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)
2018-08-08 10:16:58 +01:00
Matt Caswell
7426cd343d Ensure that we write out alerts correctly after early_data
If we sent early_data and then received back an HRR, the enc_write_ctx
was stale resulting in errors if an alert needed to be sent.

Thanks to Quarkslab for reporting this.

In any case it makes little sense to encrypt alerts using the
client_early_traffic_secret, so we add special handling for alerts sent
after early_data. All such alerts are sent in plaintext.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)
2018-08-08 10:16:58 +01:00
Matt Caswell
b4f001eb1a Fix a missing call to SSLfatal
Under certain error conditions a call to SSLfatal could accidently be
missed.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6872)
2018-08-08 09:58:16 +01:00
Andy Polyakov
9ef9088c15 ssl/*: switch to switch to Thread-Sanitizer-friendly primitives.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
2018-08-07 09:08:23 +02:00
Matt Caswell
1cde025957 Ensure we send an alert on error when processing a ticket
In some scenarios the connection could fail without an alert being sent.
This causes a later assertion failure.

Thanks to Quarkslab for reporting this.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6852)
2018-08-06 14:09:29 +01:00
Benjamin Kaduk
1c4aa31d79 Normalize SNI hostname handling for SSL and SSL_SESSION
In particular, adhere to the rule that we must not modify any
property of an SSL_SESSION object once it is (or might be) in
a session cache.  Such modifications are thread-unsafe and have
been observed to cause crashes at runtime.

To effect this change, standardize on the property that
SSL_SESSION->ext.hostname is set only when that SNI value
has been negotiated by both parties for use with that session.
For session resumption this is trivially the case, so only new
handshakes are affected.

On the client, the new semantics are that the SSL->ext.hostname is
for storing the value configured by the caller, and this value is
used when constructing the ClientHello.  On the server, SSL->ext.hostname
is used to hold the value received from the client.  Only if the
SNI negotiation is successful will the hostname be stored into the
session object; the server can do this after it sends the ServerHello,
and the client after it has received and processed the ServerHello.

This obviates the need to remove the hostname from the session object
in case of failed negotiation (a change that was introduced in commit
9fb6cb810b in order to allow TLS 1.3
early data when SNI was present in the ClientHello but not the session
being resumed), which was modifying cached sessions in certain cases.
(In TLS 1.3 we always produce a new SSL_SESSION object for new
connections, even in the case of resumption, so no TLS 1.3 handshakes
were affected.)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)
2018-07-20 07:12:24 -05:00
Benjamin Kaduk
4cc968df40 const-ify some input SSL * arguments
These tiny functions only read from the input SSL, and we are
about to use them from functions that only have a const SSL* available,
so propagate const a bit further.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)
2018-07-20 07:12:24 -05:00
Matt Caswell
d8434cf856 Validate legacy_version
The spec says that a client MUST set legacy_version to TLSv1.2, and
requires servers to verify that it isn't SSLv3.

Fixes #6600

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6747)
2018-07-20 10:52:02 +01:00
Matt Caswell
1c1e4160e0 Don't skip over early_data if we sent an HRR
It is not valid to send early_data after an HRR has been received.

Fixes #6734

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6737)
2018-07-19 12:46:43 +01:00
Matt Caswell
d162340d36 Fix no-psk
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6724)
2018-07-17 11:07:22 +01:00
Matt Caswell
5f26ddff7e Always issue new tickets when using TLSv1.3 stateful tickets
Previously we were failing to issue new tickets if a resumption attempt
failed.

Fixes #6654

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6722)
2018-07-17 10:12:10 +01:00
Matt Caswell
84475ccb70 Don't remove sessions from the cache during PHA in TLSv1.3
If we issue new tickets due to post-handshake authentication there is no
reason to remove previous tickets from the cache. The code that did that
only removed the last session anyway - so if more than one ticket got
issued then those other tickets are still valid.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6722)
2018-07-17 10:12:10 +01:00
Matt Caswell
baa45c3e74 As a server don't select TLSv1.3 if we're not capable of it
Check that we are either configured for PSK, or that we have a TLSv1.3
capable certificate type. DSA certs can't be used in TLSv1.3 and we
don't (currently) allow GOST ones either (owing to the lack of standard
sig algs).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6650)
2018-07-13 18:14:29 +01:00
Matt Caswell
4fd12788eb Use ssl_version_supported() when choosing server version
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6650)
2018-07-13 18:14:29 +01:00
Matt Caswell
4cb004573a Remove TLSv1.3 tickets from the client cache as we use them
Tickets are supposed to be single use so we remove them from the cache on
use.

Fixes #6377

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6601)
2018-07-03 09:44:46 +01:00
Matt Caswell
1f1563216d Restore behaviour from commit 36ff232cf that was incorrectly removed
In TLSv1.2 and below we should remove an old session from the client
session cache in the event that we receive a new session ticket from the
server.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6601)
2018-07-03 09:44:35 +01:00
Matt Caswell
c9598459b6 Add setters to set the early_data callback
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)
2018-07-02 15:06:12 +01:00
Matt Caswell
5d263fb78b Make the anti-replay feature optional
Fixes #6389

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)
2018-07-02 15:06:12 +01:00
Matt Caswell
b6ff436fcb Fix a NULL ptr deref in error path in tls_process_cke_dhe()
Fixes #6574

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6593)
2018-07-02 14:42:13 +01:00
Matt Caswell
e880d4e58d Use stateful tickets if we are doing anti-replay
During anti-replay we cache the ticket anyway, so there is no point in
using a full stateless ticket.

Fixes #6391

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6563)
2018-06-26 18:09:46 +01:00
Matt Caswell
6cc0b3c217 Respect SSL_OP_NO_TICKET in TLSv1.3
Implement support for stateful TLSv1.3 tickets, and use them if
SSL_OP_NO_TICKET is set.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6563)
2018-06-26 18:09:46 +01:00
Matt Caswell
6a11d5c5ed Restructure the ticket construction code
Separate out as a new function the code to write out data which is specific
to a stateless ticket.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6563)
2018-06-26 18:09:46 +01:00
Matt Caswell
c35e96691f Don't change a session once its in the cache
Sessions should be immutable once they are in the cache because they could
be shared with other threads. If you change them then this can cause
corruptions and races

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6561)
2018-06-25 12:08:53 +01:00
Matt Caswell
fb62e47c78 Don't send a warning alert in TLSv1.3
TLSv1.3 ignores the alert level, so we should suppress sending of
warning only alerts.

Fixes #6211

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6370)
2018-06-11 15:46:21 +01:00
Matt Caswell
10bda8f8dd Reformulate the if condition in tls_process_new_session_ticket
Improves readability

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6415)
2018-06-07 10:58:35 +01:00
Matt Caswell
6cf2dbd9fa Don't store the ticket nonce in the session
We generate the secrets based on the nonce immediately so there is no
need to keep the nonce.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6415)
2018-06-07 10:58:35 +01:00
Matt Caswell
4ff1a52666 Fix TLSv1.3 ticket nonces
All tickets on a connection need to have a unique nonce. When this was
originally implemented we only ever sent one ticket on the conneciton so
this didn't matter. We were just using the value 0. Now we can get multiple
tickets to we need to start doing the ticket nonce properly.

Fixes #6387

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6415)
2018-06-07 10:58:35 +01:00
Matt Caswell
bceae201b4 EVP_MD_size() can return an error
Fix some instances where we weren't checking the error return.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:39:13 +01:00
Matt Caswell
1aac20f509 Fix no-ec in combination with no-dh
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6321)
2018-05-22 13:21:24 +01:00
Matt Caswell
36ff232cf2 Change the default number of NewSessionTickets we send to 2
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Matt Caswell
9d0a8bb71e Enable the ability to set the number of TLSv1.3 session tickets sent
We send a session ticket automatically in TLSv1.3 at the end of the
handshake. This commit provides the ability to set how many tickets should
be sent. By default this is one.

Fixes #4978

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Matt Caswell
73cc84a132 Suport TLSv1.3 draft 28
Also retains support for drafts 27 and 26

Fixes #6257

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6258)
2018-05-15 10:02:59 +01:00
Matt Caswell
a925e7dbf4 Don't memcpy the contents of an empty fragment
In DTLS if we have buffered a fragment for a zero length message (e.g.
ServerHelloDone) then, when we unbuffered the fragment, we were attempting
to memcpy the contents of the fragment which is zero length and a NULL
pointer. This is undefined behaviour. We should check first whether we
have a zero length fragment.

Fixes a travis issue.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6223)
2018-05-12 09:59:02 +01:00
Matt Caswell
61fb59238d Rework the decrypt ticket callback
Don't call the decrypt ticket callback if we've already encountered a
fatal error. Do call it if we have an empty ticket present.

Change the return code to have 5 distinct returns codes and separate it
from the input status value.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:09 +01:00
Matt Caswell
c0638adeec Fix ticket callbacks in TLSv1.3
The return value from the ticket_key callback was not properly handled in
TLSv1.3, so that a ticket was *always* renewed even if the callback
requested that it should not be.

Also the ticket decrypt callback was not being called at all in TLSv1.3.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:08 +01:00
Matt Caswell
f7506416b1 Keep the DTLS timer running after the end of the handshake if appropriate
During a full handshake the server is the last one to "speak". The timer
should continue to run until we know that the client has received our last
flight (e.g. because we receive some application data).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6170)
2018-05-08 09:40:17 +01:00
Matt Caswell
f20404fce9 Don't fail on an out-of-order CCS in DTLS
Fixes #4929

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6170)
2018-05-08 09:40:17 +01:00
Matt Caswell
447cc0ad73 In a reneg use the same client_version we used last time
In 1.0.2 and below we always send the same client_version in a reneg
ClientHello that we sent the first time around, regardless of what
version eventually gets negotiated. According to a comment in
statem_clnt.c this is a workaround for some buggy servers that choked if
we changed the version used in the RSA encrypted premaster secret.

In 1.1.0+ this behaviour no longer occurs. This restores the original
behaviour.

Fixes #1651

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6059)
2018-04-24 09:54:31 +01:00
Matt Caswell
22eb2d1c80 Remove some logically dead code
This dead code should have been removed as part of #5874 but got missed.

Found by Coverity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6049)
2018-04-24 09:16:20 +01:00
Matt Caswell
4ce787b97a Make sure SSL_in_init() returns 0 at SSL_CB_HANDSHAKE_DONE
In 1.1.0 and before calling SSL_in_init() from the info_callback
at SSL_CB_HANDSHAKE_DONE would return 0. This commit fixes it so
that it does again for 1.1.1. This broke Node.

Fixes #4574

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6019)
2018-04-20 11:46:12 +01:00
Matt Caswell
a682365728 Check the return from EVP_PKEY_get0_DH()
Fixes #5934

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5983)
2018-04-17 17:09:09 +01:00
Matt Caswell
7f9f5f71e4 Make sure info callback knows about all handshake start events
The first session ticket sent by the server is actually tacked onto the
end of the first handshake from a state machine perspective. However in
reality this is a post-handshake message, and should be preceeded by a
handshake start event from an info callback perspective.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)
2018-04-17 16:51:03 +01:00
Matt Caswell
c2c1d8a495 Call the info callback on all handshake done events
Fixes #5721

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)
2018-04-17 16:51:03 +01:00
Matt Caswell
ded4a83d31 Ignore the status_request extension in a resumption handshake
We cannot provide a certificate status on a resumption so we should
ignore this extension in that case.

Fixes #1662

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5896)
2018-04-17 16:41:01 +01:00
Rich Salz
cdb10bae3f Set error code on alloc failures
Almost all *alloc failures now set an error code.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5842)
2018-04-03 11:31:16 -04:00
Kurt Roeckx
4cffafe967 Use the private RNG for data that is not public
Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Fixes: #4641
GH: #4665
2018-04-02 22:22:43 +02:00
Matt Caswell
803cc8c7d4 Revert commit 4a56d9a2
We have been unable to trace the contributor of that code to gain their
agreement for the licence change so the code has to be removed.

This commit reverts that contribution. The contribution had no functional
impact so the original way of doing things is still valid. However the
surrounding code has changed significantly so that the exact code as it
was orignally cannot be used. This commit uses the original code as a basis,
but rewrites it to use the PACKET API.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5808)
2018-03-30 19:28:33 +01:00
Rich Salz
c6d38183d6 Rewrite the X509->alert mapping code
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5780)
2018-03-28 15:34:16 -04:00
Matt Caswell
dcf8b01f44 Tolerate a Certificate using a non-supported group on server side
If a server has been configured to use an ECDSA certificate, we should
allow it regardless of whether the server's own supported groups list
includes the certificate's group.

Fixes #2033

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5601)
2018-03-28 15:08:09 +01:00
Philippe Antoine
dee0cc108f statem/statem_clnt.c: omit redundant check in tls_construct_client_hello.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5729)
2018-03-27 20:03:15 +02:00
Matt Caswell
9d5db9c9ab Assert that alpn_selected is NULL before we assign it
The alpn_selected value in the session should be NULL before we first
populate it if this is a new session. We assert to make sure it is.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5715)
2018-03-27 16:19:17 +01:00
Matt Caswell
424afe931e Don't wait for dry at the end of a handshake
For DTLS/SCTP we were waiting for a dry event during the call to
tls_finish_handshake(). This function just tidies up various internal
things, and after it completes the handshake is over. I can find no good
reason for waiting for a dry event here, and nothing in RFC6083 suggests
to me that we should need to. More importantly though it seems to be
wrong. It is perfectly possible for a peer to send app data/alerts/new
handshake while we are still cleaning up our handshake. If this happens
then we will never get the dry event and so we cannot continue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5084)
2018-03-21 10:27:29 +00:00
Matt Caswell
2e92af5ea5 Check for alerts while waiting for a dry event
At a couple of points in a DTLS/SCTP handshake we need to wait for a dry
event before continuing. However if an alert has been sent by the peer
then we will never receive that dry event and an infinite loop results.

This commit changes things so that we attempt to read a message if we
are waiting for a dry event but haven't got one yet. This should never
succeed, but any alerts will be processed.

Fixes #4763

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5084)
2018-03-21 10:27:29 +00:00
Peter Wu
696de86f8e Fix stack-use-after-scope
Fixes regression from #5667.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5701)
2018-03-21 09:38:07 +00:00
Todd Short
4bfb96f2ad Place ticket keys into secure memory
Place the session ticket AES and HMAC keys into secure memory.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2351)
2018-03-19 11:07:08 -04:00
Matt Caswell
c2b290c3d0 Fix no-psk
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5667)
2018-03-19 14:47:12 +00:00
Kurt Roeckx
16cfc2c90d Don't use a ssl specific DRBG anymore
Since the public and private DRBG are per thread we don't need one
per ssl object anymore. It could also try to get entropy from a DRBG
that's really from an other thread because the SSL object moved to an
other thread.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5547)
2018-03-19 15:04:40 +01:00
Bernd Edlinger
d4ef4fbf46 Fix a crash in SSLfatal due to invalid enc_write_ctx
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5645)
2018-03-19 14:16:54 +01:00
Matt Caswell
66d7de1634 Add an anti-replay mechanism
If the server is configured to allow early data then we check if the PSK
session presented by the client is available in the cache or not. If it
isn't then this may be a replay and we disallow it. If it is then we allow
it and remove the session from the cache. Note: the anti-replay protection
is not used for externally established PSKs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5644)
2018-03-19 12:21:41 +00:00
Matt Caswell
f023ba2df8 Don't update the session cache when processing a client certificate in TLSv1.3
We should only update the session cache when we issue a NewSessionTicket.
These are issued automatically after processing a client certificate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5644)
2018-03-19 12:21:17 +00:00
Matt Caswell
32305f8850 Always call the new_session_cb when issuing a NewSessionTicket in TLSv1.3
Conceptually in TLSv1.3 there can be multiple sessions associated with a
single connection. Each NewSessionTicket issued can be considered a
separate session. We can end up issuing multiple NewSessionTickets on a
single connection at the moment (e.g. in a post-handshake auth scenario).
Each of those issued tickets should have the new_session_cb called, it
should go into the session cache separately and it should have a unique
id associated with it (so that they can be found individually in the
cache).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5644)
2018-03-19 12:21:17 +00:00
Matt Caswell
f929439f61 Rename EVP_PKEY_new_private_key()/EVP_PKEY_new_public_key()
Renamed to EVP_PKEY_new_raw_private_key()/EVP_new_raw_public_key() as per
feedback.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
e32b52a27e Add support for setting raw private HMAC keys
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
16ff13427f Only update the server session cache when the session is ready
In TLSv1.3 the session is not ready until after the end of the handshake
when we are constructing the NewSessionTicket.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5621)
2018-03-15 08:59:27 +00:00
Matt Caswell
27e462f1b0 Only allow supported_versions in a TLSv1.3 ServerHello
As per the latest text in TLSv1.3 draft-26

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5604)
2018-03-14 09:51:20 +00:00
Benjamin Saunders
3fa2812f32 Introduce SSL_CTX_set_stateless_cookie_{generate,verify}_cb
These functions are similar to SSL_CTX_set_cookie_{generate,verify}_cb,
but used for the application-controlled portion of TLS1.3 stateless
handshake cookies rather than entire DTLSv1 cookies.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5463)
2018-03-12 19:34:13 +00:00
Todd Short
df0fed9aab Session Ticket app data
Adds application data into the encrypted session ticket

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3802)
2018-03-12 10:31:09 +00:00
Benjamin Kaduk
ee36b963ae Reuse extension_is_relevant() in should_add_extension()
At the core of things is the concept that each extension is only
defined in certain context(s) -- the ClientHello, EncryptedExtensions,
etc., and sometimes only for a specific protocol or protocol range;
we want to enforce that we only parse or generate extensions in the
context(s) for which they are defined.  There is some subtlety here,
in that the protocol version in use is not known when generating the
ClientHello (but it is known when the ClientHello extensions are
being parsed!), so the SSL_IS_TLS13() macro must be used with caution.
Nonetheless, by making assertions about whether we are acting in a
server role and whether the current context is (not) a ClientHello,
we can consolidate almost all of the logic for determining whether
an extension is permitted in a given protocol message, whether we
are generating or parsing that message.

The only logic that remains separate relates to generating the ClientHello,
as it depends on an external factor (the maximum permitted TLS version) that
is not defined in the parsing context.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2945)
2018-03-09 11:17:32 -06:00
Matt Caswell
e440f51395 Give more information in the SSL_stateless return code
Allow users to distinguish between an error occurring and an HRR being
issued.

Fixes #5549

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5562)
2018-03-09 11:37:58 +00:00
Matt Caswell
f3d40db1b9 Fallback on old style PSK callbacks if the new style ones aren't present
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5554)
2018-03-09 11:22:23 +00:00
Matt Caswell
e73c6eaeff Tolerate TLSv1.3 PSKs that are a different size to the hash size
We also default to SHA256 as per the spec if we do not have an explicit
digest defined.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5554)
2018-03-09 11:22:23 +00:00
Todd Short
aa2ed504ea If not sending key_share (no TLSv1.3), return appropriately.
This fixes an issue raised in PR #4964 by kaduk.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5491)
2018-03-05 13:16:33 +00:00
Matt Caswell
5de683d2c6 Fix status_request and SCT extensions
They are valid for use in a CertificateRequest message, but we did not
allow it. If a server sent such a message using either of those two
extensions then the handshake would abort.

This corrects that error, but does not add support for actually processing
the extensions. They are simply ignored, and a TODO is inserted to add
support at a later time.

This was found during interoperability testing with btls:
https://gitlab.com/ilari_l/btls

Prompted by these errors I reviewed the complete list of extensions and
compared them with the latest table in draft-24 to confirm there were no
other errors of a similar type. I did not find any.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5490)
2018-03-05 11:55:07 +00:00
Kurt Roeckx
d91f45688c Tell the ciphers which DRBG to use for generating random bytes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4672
2018-02-28 21:20:01 +01:00
Tatsuhiro Tsujikawa
b38ede8043 Export keying material using early exporter master secret
This commit adds SSL_export_keying_material_early() which exports
keying material using early exporter master secret.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5252)
2018-02-26 13:35:54 +00:00
Pauli
d592734420 Remove unreachable statement.
The return at the end isn't reachable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5442)
2018-02-23 10:55:50 +10:00
Matt Caswell
c471521243 If s->ctx is NULL then this is an internal error
Coverity was complaining because we checked if s->ctx is NULL and then
later on in the function deref s->ctx anyway. In reality if s->ctx is
NULL then this is an internal error.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5334)
2018-02-15 15:14:45 +00:00
Matt Caswell
6e99ae58c8 Ignore an s_client psk in TLSv1.3 if not TLSv1.3 suitable
The s_client psk_use_session_cb callback has a comment stating that we
should ignore a key that isn't suitable for TLSv1.3. However we were
actually causing the connection to fail. Changing the return value fixes
the issue.

Also related to this is that the early_data extension was not marked as
TLSv1.3 only which it should be.

Fixes #5202

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5205)
2018-02-14 15:42:36 +00:00
Matt Caswell
6738bf1417 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-02-13 13:59:25 +00:00
Matt Caswell
1d0c08b496 The function ssl_get_min_max_version() can fail
We should always check the return code.

This fixes a coverity issue.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5308)
2018-02-12 10:06:39 +00:00
Matt Caswell
7e70213fe3 Don't overestimate the ticket age
On the client we calculate the age of the ticket in seconds but the server
may work in ms. Due to rounding errors we could overestimate the age by up
to 1s. It is better to underestimate it. Otherwise, if the RTT is very
short, when the server calculates the age reported by the client it could
be bigger than the age calculated on the server - which should never happen.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5306)
2018-02-12 10:01:13 +00:00
Matt Caswell
5d67110173 Don't calculate the Finished MAC twice
In <= TLSv1.2 a Finished message always comes immediately after a CCS
except in the case of NPN where there is an additional message between
the CCS and Finished. Historically we always calculated the Finished MAC
when we processed the CCS. However to deal with NPN we also calculated it
when we receive the Finished message. Really this should only have been
done if we hand negotiated NPN.

This simplifies the code to only calculate the MAC when we receive the
Finished. In 1.1.1 we need to do it this way anyway because there is no
CCS (except in middlebox compat mode) in TLSv1.3.

Coincidentally, this commit also fixes the fact that no-nextprotoneg does
not currently work in master.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5285)
2018-02-09 15:27:32 +00:00
Tatsuhiro Tsujikawa
1f5878b8e2 Make sure that exporting keying material is allowed
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4944)
2018-02-02 23:54:14 +00:00
Todd Short
e43e6b1951 Fix some minor code nits
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2018-02-01 17:07:56 +00:00
Todd Short
9d75dce3e1 Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA

Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.

Update SSL_CTX_set_verify()/SSL_set_verify() mode:

* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.

* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.

Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options

Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha

Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code

Update documentation

Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests

DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error

Update handshake context to deal with PHA.

The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.

After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.

This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2018-02-01 17:07:56 +00:00
Matt Caswell
848a950b71 Fix some instances of the wrong alert type being sent
In a few places we sent an internal_error alert instead of a decode_error.

Fixes #5213
Fixes #5214

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5219)
2018-02-01 10:28:49 +00:00
Matt Caswell
3faa07b582 Move decisions about whether to accept reneg into the state machine
If a server receives an unexpected ClientHello then we may or may not
accept it. Make sure all such decisions are made in the state machine
and not in the record layer. This also removes a disparity between the
TLS and the DTLS code. The TLS code was making this decision in the
record layer, while the DTLS code was making it later.

Finally it also solves a problem where a warning alert was being sent
during tls_setup_handshake() and the function was returning a failure
return code. This is problematic because it can be called from a
transition function - which we only allow fatal errors to occur in.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5190)
2018-01-30 11:28:12 +00:00
Benjamin Kaduk
c589c34e61 Add support for the TLS 1.3 signature_algorithms_cert extension
The new extension is like signature_algorithms, but only for the
signature *on* the certificate we will present to the peer (the
old signature_algorithms extension is still used for signatures that
we *generate*, i.e., those over TLS data structures).

We do not need to generate this extension, since we are the same
implementation as our X.509 stack and can handle the same types
of signatures, but we need to be prepared to receive it, and use the received
information when selecting what certificate to present.

There is a lot of interplay between signature_algorithms_cert and
signature_algorithms, since both affect what certificate we can
use, and thus the resulting signature algorithm used for TLS messages.
So, apply signature_algorithms_cert (if present) as a filter on what
certificates we can consider when choosing a certificate+sigalg
pair.

As part of this addition, we also remove the fallback code that let
keys of type EVP_PKEY_RSA be used to generate RSA-PSS signatures -- the
new rsa_pss_pss_* and rsa_pss_rsae_* signature schemes have pulled
the key type into what is covered by the signature algorithm, so
we should not apply this sort of compatibility workaround.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5068)
2018-01-25 12:57:22 -06:00
Matt Caswell
97ea1e7f42 Updates following review of SSL_stateless() code
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)
2018-01-24 18:02:37 +00:00
Matt Caswell
d0debc0a1c Add a timestamp to the cookie
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)
2018-01-24 18:02:37 +00:00
Matt Caswell
e93597193d Don't send unexpected_message if we receive CCS while stateless
Probably this is the CCS between the first and second ClientHellos. It
should be ignored.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)
2018-01-24 18:02:37 +00:00
Matt Caswell
dd77962e09 Fix the cookie/key_share extensions for use with SSL_stateless()
Fixes some bugs identified during testing.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)
2018-01-24 18:02:36 +00:00
Matt Caswell
808d160161 Fix interaction between SSL_stateless() and SSL_clear()
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)
2018-01-24 18:02:36 +00:00
Matt Caswell
c36001c3a8 Fix logic around when to send an HRR based on cookies
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)
2018-01-24 18:02:36 +00:00
Matt Caswell
43054d3d73 Add support for sending TLSv1.3 cookies
This just adds the various extension functions. More changes will be
required to actually use them.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)
2018-01-24 18:02:35 +00:00
Rich Salz
44f23cd281 Move fprintf after assignment to avoid crash.
Thanks to David Vernet for reporting this.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5140)
2018-01-22 15:14:40 -05:00
Richard Levitte
3c7d0945b6 Update copyright years on all files merged since Jan 1st 2018
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5038)
2018-01-09 05:49:01 +01:00
Benjamin Kaduk
7bc2bddb14 Permit the "supported_groups" extension in ServerHellos
Although this is forbidden by all three(!) relevant specifications,
there seem to be multiple server implementations in the wild that
send it.  Since we didn't check for unexpected extensions in any
given message type until TLS 1.3 support was added, our previous
behavior was to silently accept these extensions and pass them over
to the custom extension callback (if any).  In order to avoid
regression of functionality, relax the check for "extension in
unexpected context" for this specific case, but leave the protocol
enforcment mechanism unchanged for other extensions and in other
extension contexts.

Leave a detailed comment to indicate what is going on.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4463)
2018-01-03 09:43:54 -06:00